作者: yongmin [yongmin]
作者:lb_0815 此软件不错,闲来无事,想写个注册机。软件用Acprotect保护,脱壳无力,带壳破解。 先看帮助 可知注册码格式,设为:X1X2X3X4X5X6X7X8-Y1Y2Y3Y4Y5Y6Y7Y8-Z1Z2Z3Z4Z5Z6Z7Z8-W1W2W3W4W5W6W7W8,注册码长度为35。 脱壳用DeDe反编译,得知“注册”按钮事件为0041FC3C 在主界面点击“注册”,在弹出的注册界面上注册码框输入:“11123456-84024397-33328576-63445289”,点击“注册”按钮,OllyDbg拦截在: 0041FC3C 55 push ebp 0041FC3D 8BEC mov ebp,esp 0041FC3F 81C4 B8FEFFFF add esp,-148 …… 0041FD6A 837D FC 00 cmp dword ptr ss:[ebp-4],0 堆栈 ss:[0012F1B4]=098DC684, (ASCII "11123456-84024397-33328576-63445289") 0041FD6E 74 08 je short ZnCycd.0041FD78 0041FD70 8B55 FC mov edx,dword ptr ss:[ebp-4] 输入的伪注册码 0041FD73 8B4A FC mov ecx,dword ptr ds:[edx-4] 伪注册码长度 …… 0041FD92 BA 05000000 mov edx,5 ; index=5 0041FD97 8B98 F8020000 mov ebx,dword ptr ds:[eax+2F8] 0041FD9D 33C0 xor eax,eax 0041FD9F 8945 E4 mov dword ptr ss:[ebp-1C],eax 0041FDA2 81C3 18020000 add ebx,218 0041FDA8 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 0041FDAE 8B03 mov eax,dword ptr ds:[ebx] 0041FDB0 8B18 mov ebx,dword ptr ds:[eax] 0041FDB2 FF53 0C call dword ptr ds:[ebx+C] ; index=5, 字符串“35” 0041FDB5 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0041FDB8 E8 7FCD0A00 call <ZnCycd.NumstrToHexvalue> ; hex_value=23h 0041FDBD 40 inc eax 0041FDBE 3B85 D4FEFFFF cmp eax,dword ptr ss:[ebp-12C] ; 与注册码长度比较 …… 0041FDE6 BA 05000000 mov edx,5 0041FDEB 8B06 mov eax,dword ptr ds:[esi] 0041FDED 8B18 mov ebx,dword ptr ds:[eax] 0041FDEF FF53 0C call dword ptr ds:[ebx+C] ; index=5,取注册码长度 0041FDF2 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0041FDF5 E8 42CD0A00 call <ZnCycd.NumstrToHexvalue> 0041FDFA 3B85 D4FEFFFF cmp eax,dword ptr ss:[ebp-12C] ; 与注册码长度比较 0041FE00 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0041FE03 0F9FC2 setg dl ; 不相等设置标志,注册码长度需等于35 0041FE06 83E2 01 and edx,1 0041FE09 52 push edx 0041FE0A BA 02000000 mov edx,2 0041FE0F FF8D FCFEFFFF dec dword ptr ss:[ebp-104] 0041FE15 E8 7EC80A00 call ZnCycd.004CC698 0041FE1A 59 pop ecx 0041FE1B 85C9 test ecx,ecx ; 比较标志 0041FE1D 75 04 jnz short ZnCycd.0041FE23 ; 跳转over …… 004201AC BA 0A000000 mov edx,0A 004201B1 8D45 FC lea eax,dword ptr 
ss:[ebp-4] 004201B4 B9 02000000 mov ecx,2 004201B9 E8 9AC80A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Y1Y2,伪注册码从第10位取两位字符 004201BE 8D45 BC lea eax,dword ptr ss:[ebp-44] 004201C1 33D2 xor edx,edx 004201C3 50 push eax 004201C4 8955 C0 mov dword ptr ss:[ebp-40],edx 004201C7 8D4D C0 lea ecx,dword ptr ss:[ebp-40] 004201CA BA 01000000 mov edx,1 004201CF 51 push ecx 004201D0 B9 02000000 mov ecx,2 004201D5 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004201DB 8D45 FC lea eax,dword ptr ss:[ebp-4] 004201DE E8 75C80A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取X1X2,伪注册码从第1位取两位字符 004201E3 8D45 C0 lea eax,dword ptr ss:[ebp-40] 004201E6 33D2 xor edx,edx 004201E8 8955 B8 mov dword ptr ss:[ebp-48],edx 004201EB 8D4D B8 lea ecx,dword ptr ss:[ebp-48] 004201EE FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004201F4 5A pop edx 004201F5 E8 E2C40A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; X1X2Y1Y2 004201FA 8D55 B8 lea edx,dword ptr ss:[ebp-48] 004201FD 8D45 F8 lea eax,dword ptr ss:[ebp-8] …… 0042023E 8D45 F8 lea eax,dword ptr ss:[ebp-8] 00420241 E8 F6C80A00 call <ZnCycd.NumstrToHexvalue> ; 字符“1184”变为值4a0h 00420246 8BD0 mov edx,eax ; X1X2Y1Y2 00420248 B9 03000000 mov ecx,3 0042024D 8D0442 lea eax,dword ptr ds:[edx+eax*2] 00420250 8D0482 lea eax,dword ptr ds:[edx+eax*4] ; X1X2Y1Y2×13 00420253 99 cdq 00420254 F7F9 idiv ecx ; X1X2Y1Y2×13\3 00420256 8B95 DCFEFFFF mov edx,dword ptr ss:[ebp-124] 0042025C 8B8A F4020000 mov ecx,dword ptr ds:[edx+2F4] 00420262 8941 0C mov dword ptr ds:[ecx+C],eax ; eax为140Ah …… 00420287 BA 01000000 mov edx,1 0042028C 8B99 80030000 mov ebx,dword ptr ds:[ecx+380] 00420292 8945 B4 mov dword ptr ss:[ebp-4C],eax 00420295 81C3 18020000 add ebx,218 0042029B 8D4D B4 lea ecx,dword ptr ss:[ebp-4C] 0042029E FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004202A4 8B03 mov eax,dword ptr ds:[ebx] 004202A6 8B18 mov ebx,dword ptr ds:[eax] 004202A8 FF53 0C call dword ptr ds:[ebx+C] ; EDX=1,取得机器码 004202AB 8D45 B4 lea eax,dword ptr ss:[ebp-4C] 004202AE B9 08000000 mov ecx,8 004202B3 BA 
01000000 mov edx,1 004202B8 E8 9BC70A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取得机器码的前8位字符 004202BD 8D45 B0 lea eax,dword ptr ss:[ebp-50] 004202C0 E8 77C80A00 call <ZnCycd.NumstrToHexvalue> ; 机器码前8位值:5E1F658,98694744 004202C5 8BD8 mov ebx,eax 004202C7 33C0 xor eax,eax 004202C9 8945 AC mov dword ptr ss:[ebp-54],eax 004202CC 8D55 AC lea edx,dword ptr ss:[ebp-54] 004202CF 52 push edx 004202D0 BA 16000000 mov edx,16 004202D5 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004202DB 8D45 FC lea eax,dword ptr ss:[ebp-4] 004202DE B9 01000000 mov ecx,1 004202E3 E8 70C70A00 call <ZnCycd.mid(str,x,y)ecx为长>; 取Z4,从伪注册码第22位取一个字符 004202E8 8D45 AC lea eax,dword ptr ss:[ebp-54] 004202EB E8 4CC80A00 call <ZnCycd.NumstrToHexvalue> 004202F0 83C0 07 add eax,7 ; Z4+7 004202F3 8B95 DCFEFFFF mov edx,dword ptr ss:[ebp-124] 004202F9 0FAFD8 imul ebx,eax ; machinecode(前8位)*(Z4+7) 004202FC 8BB2 F8020000 mov esi,dword ptr ds:[edx+2F8] 00420302 33C0 xor eax,eax 00420304 8945 A8 mov dword ptr ss:[ebp-58],eax 00420307 81C6 18020000 add esi,218 0042030D FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420313 BA 03000000 mov edx,3 ; index=3 00420318 8B06 mov eax,dword ptr ds:[esi] 0042031A 8D4D A8 lea ecx,dword ptr ss:[ebp-58] 0042031D 8B30 mov esi,dword ptr ds:[eax] 0042031F FF56 0C call dword ptr ds:[esi+C] ; index=3,取得字符“3” 00420322 8D45 A8 lea eax,dword ptr ss:[ebp-58] 00420325 E8 12C80A00 call <ZnCycd.NumstrToHexvalue> 0042032A 93 xchg eax,ebx 0042032B 99 cdq 0042032C F7FB idiv ebx ; machinecode(前8位)*(Z4+7)\3 0042032E 8985 BCFEFFFF mov dword ptr ss:[ebp-144],eax ; eax值为11A5E308 00420334 8D45 A8 lea eax,dword ptr ss:[ebp-58] 00420337 DB85 BCFEFFFF fild dword ptr ss:[ebp-144] ; 十进制值为296084232 0042033D BA 02000000 mov edx,2 00420342 D99D CCFEFFFF fstp dword ptr ss:[ebp-134] ; 堆栈浮点值:4D8D2F18 …… 004203A1 8D45 A4 lea eax,dword ptr ss:[ebp-5C] 004203A4 D985 CCFEFFFF fld dword ptr ss:[ebp-134] ; 浮点值变化为296084224 004203AA DD1C24 fstp qword ptr ss:[esp] 004203AD E8 7AC20A00 call <ZnCycd.hextostr> ; 
转化成字符串“296084224”,令其为S …… 004203ED 8D45 EC lea eax,dword ptr ss:[ebp-14] 004203F0 B9 08000000 mov ecx,8 004203F5 BA 01000000 mov edx,1 004203FA E8 59C60A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取字符串S前8位,设为S0 …… 00420438 B9 01000000 mov ecx,1 0042043D BA 1C000000 mov edx,1C 00420442 E8 11C60A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取W1,伪注册码第28位取一字符 00420447 8D45 94 lea eax,dword ptr ss:[ebp-6C] 0042044A 33D2 xor edx,edx 0042044C 50 push eax 0042044D 8955 9C mov dword ptr ss:[ebp-64],edx 00420450 8D4D 9C lea ecx,dword ptr ss:[ebp-64] 00420453 BA 13000000 mov edx,13 00420458 51 push ecx 00420459 B9 02000000 mov ecx,2 0042045E FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420464 8D45 FC lea eax,dword ptr ss:[ebp-4] 00420467 E8 ECC50A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Z1Z2,从伪注册码第19位取两位字符 0042046C 8D55 9C lea edx,dword ptr ss:[ebp-64] 0042046F 33C0 xor eax,eax 00420471 8945 98 mov dword ptr ss:[ebp-68],eax 00420474 8D4D 98 lea ecx,dword ptr ss:[ebp-68] 00420477 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 0042047D 8D45 F8 lea eax,dword ptr ss:[ebp-8] 00420480 E8 57C20A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; 结果为X1X2Y1Y2Z1Z2 00420485 8D45 98 lea eax,dword ptr ss:[ebp-68] 00420488 33D2 xor edx,edx 0042048A 8955 90 mov dword ptr ss:[ebp-70],edx 0042048D 8D4D 90 lea ecx,dword ptr ss:[ebp-70] 00420490 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420496 5A pop edx 00420497 E8 40C20A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; 结果为X1X2Y1Y2Z1Z2W1 0042049C 8D55 90 lea edx,dword ptr ss:[ebp-70] …… 004204FB BA 03000000 mov edx,3 ; index=3 00420500 8B99 F8020000 mov ebx,dword ptr ds:[ecx+2F8] 00420506 8945 88 mov dword ptr ss:[ebp-78],eax 00420509 81C3 18020000 add ebx,218 0042050F FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420515 8D4D 88 lea ecx,dword ptr ss:[ebp-78] 00420518 8B03 mov eax,dword ptr ds:[ebx] 0042051A 8B18 mov ebx,dword ptr ds:[eax] 0042051C FF53 0C call dword ptr ds:[ebx+C] ; <ZnCycd.GetStrFromIndex(EDX)> 0042051F 8D45 88 lea eax,dword ptr 
ss:[ebp-78] 00420522 E8 15C60A00 call <ZnCycd.NumstrToHexvalue> ; 转换成3 00420527 50 push eax ; 保存3 00420528 33D2 xor edx,edx 0042052A 66:C785 F0FEFFF>mov word ptr ss:[ebp-110],0D4 00420533 8955 8C mov dword ptr ss:[ebp-74],edx 00420536 8D4D 8C lea ecx,dword ptr ss:[ebp-74] 00420539 51 push ecx 0042053A B9 01000000 mov ecx,1 0042053F FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420545 BA 18000000 mov edx,18 0042054A 8D45 FC lea eax,dword ptr ss:[ebp-4] 0042054D E8 06C50A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Z6,从伪注册码第24位取一位字符 00420552 8D45 8C lea eax,dword ptr ss:[ebp-74] 00420555 E8 E2C50A00 call <ZnCycd.NumstrToHexvalue> 0042055A 83C0 07 add eax,7 ; Z6+7 0042055D 5A pop edx ; 取出3 0042055E 8BCA mov ecx,edx 00420560 99 cdq 00420561 F7F9 idiv ecx ; (Z6+7)\3 00420563 8BD8 mov ebx,eax 00420565 8D45 EC lea eax,dword ptr ss:[ebp-14] 00420568 E8 CFC50A00 call <ZnCycd.NumstrToHexvalue> ; 转换字符串S0为HEX值,为1C3C9E6 0042056D 0FAFD8 imul ebx,eax ; S0×[(Z6+7)\3] 00420570 899D B8FEFFFF mov dword ptr ss:[ebp-148],ebx 00420576 8D45 88 lea eax,dword ptr ss:[ebp-78] 00420579 DB85 B8FEFFFF fild dword ptr ss:[ebp-148] ; 值为70F2798h,118433688 0042057F BA 02000000 mov edx,2 00420584 D99D CCFEFFFF fstp dword ptr ss:[ebp-134] ; 浮点数为4CE1E4F3,十进制为118422688 0042058A FF8D FCFEFFFF dec dword ptr ss:[ebp-104] 00420590 E8 03C10A00 call ZnCycd.004CC698 00420595 FF8D FCFEFFFF dec dword ptr ss:[ebp-104] 0042059B 8D45 8C lea eax,dword ptr ss:[ebp-74] 0042059E BA 02000000 mov edx,2 004205A3 E8 F0C00A00 call ZnCycd.004CC698 004205A8 66:C785 F0FEFFF>mov word ptr ss:[ebp-110],0E0 004205B1 83C4 F8 add esp,-8 004205B4 8D45 84 lea eax,dword ptr ss:[ebp-7C] 004205B7 D985 CCFEFFFF fld dword ptr ss:[ebp-134] ; 值变化为118433688 004205BD DD1C24 fstp qword ptr ss:[esp] 004205C0 E8 67C00A00 call <ZnCycd.hextostr> ; S0运算后转换为字符串“118433688”,设为S' …… 00420603 B9 01000000 mov ecx,1 00420608 BA 22000000 mov edx,22 0042060D E8 46C40A00 call <ZnCycd.mid(str,x,y)ecx为长度,e> 00420612 8D55 80 lea edx,dword ptr ss:[ebp-80] ; 
取W7,伪注册码第34位取1位字符 00420615 33C0 xor eax,eax 00420617 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax 0042061D 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84] 00420623 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420629 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0042062C E8 ABC00A00 call <ZnCycd.strcat(str1,str2)ecx>; X1X2Y1Y2Z1Z2W1W7 00420631 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84] …… 00420689 B9 08000000 mov ecx,8 0042068E BA 01000000 mov edx,1 00420693 E8 C0C30A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取字符串S'前8位 00420698 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88] ; 字符串S'前八位 0042069E 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; 字符串X1X2Y1Y2Z1Z2W1W7 004206A1 E8 DAC00A00 call <ZnCycd.strcmp(eax,edx),相等返回值eax为0> ; 第一次验证 004206A6 50 push eax 004206A7 FF8D FCFEFFFF dec dword ptr ss:[ebp-104] 004206AD 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88] 004206B3 BA 02000000 mov edx,2 004206B8 E8 DBBF0A00 call ZnCycd.004CC698 004206BD 59 pop ecx 004206BE 84C9 test cl,cl 004206C0 0F84 62010000 je ZnCycd.00420828 ; 不跳over …… 从下面开始运算注册码字符写入注册表,等待程序重新启动时验证 00420828 66:C785 F0FEFFF>mov word ptr ss:[ebp-110],128 00420831 33C0 xor eax,eax 00420833 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC] 00420839 8985 44FFFFFF mov dword ptr ss:[ebp-BC],eax 0042083F 52 push edx 00420840 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420846 BA 15000000 mov edx,15 0042084B 8D45 FC lea eax,dword ptr ss:[ebp-4] 0042084E B9 04000000 mov ecx,4 00420853 E8 00C20A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Z3Z4Z5Z6 00420858 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] 0042085E 33D2 xor edx,edx 00420860 50 push eax 00420861 8995 4CFFFFFF mov dword ptr ss:[ebp-B4],edx 00420867 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4] 0042086D BA 0C000000 mov edx,0C 00420872 51 push ecx 00420873 B9 06000000 mov ecx,6 00420878 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 0042087E 8D45 FC lea eax,dword ptr ss:[ebp-4] 00420881 E8 D2C10A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Y3Y4Y5Y6Y7Y8 00420886 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-B4] 
0042088C 33D2 xor edx,edx 0042088E 50 push eax 0042088F 8995 54FFFFFF mov dword ptr ss:[ebp-AC],edx 00420895 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC] 0042089B BA 07000000 mov edx,7 004208A0 51 push ecx 004208A1 B9 02000000 mov ecx,2 004208A6 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004208AC 8D45 FC lea eax,dword ptr ss:[ebp-4] 004208AF E8 A4C10A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取X7X8 004208B4 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC] 004208BA 33D2 xor edx,edx 004208BC 50 push eax 004208BD 8995 5CFFFFFF mov dword ptr ss:[ebp-A4],edx 004208C3 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4] 004208C9 BA 03000000 mov edx,3 004208CE 51 push ecx 004208CF B9 01000000 mov ecx,1 004208D4 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004208DA 8D45 FC lea eax,dword ptr ss:[ebp-4] 004208DD E8 76C10A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取X3 004208E2 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-A4] 004208E8 33D2 xor edx,edx 004208EA 50 push eax 004208EB 8995 64FFFFFF mov dword ptr ss:[ebp-9C],edx 004208F1 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C] 004208F7 BA 04000000 mov edx,4 004208FC 51 push ecx 004208FD B9 02000000 mov ecx,2 00420902 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420908 8D45 FC lea eax,dword ptr ss:[ebp-4] 0042090B E8 48C10A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取X4X5 00420910 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C] 00420916 33D2 xor edx,edx 00420918 50 push eax 00420919 8995 68FFFFFF mov dword ptr ss:[ebp-98],edx 0042091F 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98] 00420925 BA 06000000 mov edx,6 0042092A 51 push ecx 0042092B B9 01000000 mov ecx,1 00420930 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420936 8D45 FC lea eax,dword ptr ss:[ebp-4] 00420939 E8 1AC10A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取X6 0042093E 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98] 00420944 33D2 xor edx,edx 00420946 8995 60FFFFFF mov dword ptr ss:[ebp-A0],edx 0042094C 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0] 00420952 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 
00420958 5A pop edx 00420959 E8 7EBD0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; 重新组合字符串得X6X4X5 0042095E 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0] 00420964 33C9 xor ecx,ecx 00420966 898D 58FFFFFF mov dword ptr ss:[ebp-A8],ecx 0042096C 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8] 00420972 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420978 5A pop edx 00420979 E8 5EBD0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; X6X4X5X3 0042097E 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8] 00420984 33D2 xor edx,edx 00420986 8995 50FFFFFF mov dword ptr ss:[ebp-B0],edx 0042098C 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0] 00420992 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420998 5A pop edx 00420999 E8 3EBD0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; X6X4X5X3X7X8 0042099E 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0] 004209A4 33C9 xor ecx,ecx 004209A6 898D 48FFFFFF mov dword ptr ss:[ebp-B8],ecx 004209AC 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8] 004209B2 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004209B8 5A pop edx 004209B9 E8 1EBD0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; X6X4X5X3X7X8Y3Y4Y5Y6Y7Y8 004209BE 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8] 004209C4 33D2 xor edx,edx 004209C6 8995 40FFFFFF mov dword ptr ss:[ebp-C0],edx 004209CC 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0] 004209D2 FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 004209D8 5A pop edx 004209D9 E8 FEBC0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; X6X4X5X3X7X8Y3Y4Y5Y6Y7Y8Z3Z4Z5Z6,组合字符串S1 …… 00420AFF B9 02000000 mov ecx,2 00420B04 BA 23000000 mov edx,23 00420B09 E8 4ABF0A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取W8 00420B0E 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0] 00420B14 33D2 xor edx,edx 00420B16 50 push eax 00420B17 8995 38FFFFFF mov dword ptr ss:[ebp-C8],edx 00420B1D 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8] 00420B23 BA 1D000000 mov edx,1D 00420B28 51 push ecx 00420B29 B9 05000000 mov ecx,5 00420B2E FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420B34 8D45 FC lea eax,dword ptr 
ss:[ebp-4] 00420B37 E8 1CBF0A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取W2W3W4W5W6 00420B3C 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8] 00420B42 33D2 xor edx,edx 00420B44 50 push eax 00420B45 8995 3CFFFFFF mov dword ptr ss:[ebp-C4],edx 00420B4B 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4] 00420B51 BA 19000000 mov edx,19 00420B56 51 push ecx 00420B57 B9 02000000 mov ecx,2 00420B5C FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420B62 8D45 FC lea eax,dword ptr ss:[ebp-4] 00420B65 E8 EEBE0A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取Z7Z8 00420B6A 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-C4] 00420B70 33D2 xor edx,edx 00420B72 8995 34FFFFFF mov dword ptr ss:[ebp-CC],edx 00420B78 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC] 00420B7E FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420B84 5A pop edx 00420B85 E8 52BB0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; Z7Z8W2W3W4W5W6 00420B8A 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC] 00420B90 33C9 xor ecx,ecx 00420B92 898D 2CFFFFFF mov dword ptr ss:[ebp-D4],ecx 00420B98 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4] 00420B9E FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420BA4 5A pop edx 00420BA5 E8 32BB0A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; Z7Z8W2W3W4W5W6W8,组合字符串S2 00420BAA 8D95 2CFFFFFF lea edx,dword ptr ss:[ebp-D4] …… 00420C26 66:C785 F0FEFFF>mov word ptr ss:[ebp-110],140 00420C2F BA 9AAA4E00 mov edx,ZnCycd.004EAA9A ; 8个空格 00420C34 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8] …… 00420C72 BB 01000000 mov ebx,1 ; ebx=1 00420C77 66:C785 F0FEFFF>mov word ptr ss:[ebp-110],14C 00420C80 33C0 xor eax,eax 00420C82 8D95 24FFFFFF lea edx,dword ptr ss:[ebp-DC] 00420C88 8985 24FFFFFF mov dword ptr ss:[ebp-DC],eax 00420C8E 52 push edx 00420C8F FF85 FCFEFFFF inc dword ptr ss:[ebp-104] 00420C95 8BD3 mov edx,ebx ; 循环,EDX值变化 00420C97 8D45 F4 lea eax,dword ptr ss:[ebp-C] 00420C9A B9 02000000 mov ecx,2 00420C9F E8 B4BD0A00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 从S1 EDX位置取两个字符,第一次为X6X4 00420CA4 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC] 
00420CAA E8 8DBE0A00 call <ZnCycd.NumstrToHexvalue> 00420CAF 50 push eax 00420CB0 8D7B 01 lea edi,dword ptr ds:[ebx+1] 00420CB3 D1FF sar edi,1 ; edi/2 00420CB5 79 03 jns short ZnCycd.00420CBA 00420CB7 83D7 00 adc edi,0 00420CBA 57 push edi 00420CBB 8D45 EC lea eax,dword ptr ss:[ebp-14] 00420CBE 50 push eax 00420CBF E8 F4B60A00 call ZnCycd.004CC3B8 00420CC4 83C4 08 add esp,8 00420CC7 8D45 EC lea eax,dword ptr ss:[ebp-14] 00420CCA E8 99BB0A00 call ZnCycd.004CC868 00420CCF 037D EC add edi,dword ptr ss:[ebp-14] ; [0012F1A4]=098DC738, (ASCII " ") 00420CD2 4F dec edi 00420CD3 5A pop edx 00420CD4 0217 add dl,byte ptr ds:[edi] ; dl+20h,共有8个空格(20h) 00420CD6 80C2 03 add dl,3 ; dl+3 00420CD9 8D4B 01 lea ecx,dword ptr ds:[ebx+1] 00420CDC D1F9 sar ecx,1 00420CDE 79 03 jns short ZnCycd.00420CE3 00420CE0 83D1 00 adc ecx,0 00420CE3 2AD1 sub dl,cl ;减去计数器 00420CE5 52 push edx 00420CE6 8D73 01 lea esi,dword ptr ds:[ebx+1] 00420CE9 D1FE sar esi,1 00420CEB 79 03 jns short ZnCycd.00420CF0 00420CED 83D6 00 adc esi,0 00420CF0 56 push esi 00420CF1 8D45 EC lea eax,dword ptr ss:[ebp-14] 00420CF4 50 push eax 00420CF5 E8 BEB60A00 call ZnCycd.004CC3B8 00420CFA 83C4 08 add esp,8 00420CFD 8D45 EC lea eax,dword ptr ss:[ebp-14] 00420D00 E8 63BB0A00 call ZnCycd.004CC868 00420D05 0375 EC add esi,dword ptr ss:[ebp-14] 00420D08 5A pop edx 00420D09 4E dec esi 00420D0A 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC] 00420D10 8816 mov byte ptr ds:[esi],dl ; 字符变换保存 00420D12 BA 02000000 mov edx,2 00420D17 FF8D FCFEFFFF dec dword ptr ss:[ebp-104] 00420D1D E8 76B90A00 call ZnCycd.004CC698 00420D22 83C3 02 add ebx,2 00420D25 83FB 0F cmp ebx,0F ; 从字符串S1变换为8个字符S1’ 00420D28 ^ 0F8E 49FFFFFF jle ZnCycd.00420C77 上面这个循环,S1每两位字符转换为数字加上23h-计数器:val(S1(2))+23h-计数器 00420D2E 837D F0 00 cmp dword ptr ss:[ebp-10],0 00420D32 74 08 je short ZnCycd.00420D3C …… 00420D9A 4E dec esi 00420D9B 83FB 03 cmp ebx,3 00420D9E 8816 mov byte ptr ds:[esi],dl ; 变换S2为S2',这不用跟啦,程序重启时要还原成S2 00420DA0 7E 3F jle short ZnCycd.00420DE1 00420DA2 8BFB mov 
edi,ebx …… 00420ECD 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8] 00420ED3 8D55 F0 lea edx,dword ptr ss:[ebp-10] 00420ED6 E8 01B80A00 call <ZnCycd.strcat(str1,str2)ecx=^eax+^edx> ; S1'+S2' 下面把S1’+S2’字符组合写入注册表,位置为:[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\ODBC Data Sources] "severId"="L@X!I~<p04,046-1" 然后程序重启进行第二次和第三次验证 程序重启下断:BP RegQueryValueExA,当OllyDbg出现“severId”字样时进入主程序到 0040B071 E8 66170A00 call <ZnCycd.RegReadStr> ; 从注册表读入S1'+S2’字符串 0040B076 FF4D 9C dec dword ptr ss:[ebp-64] 0040B079 8D45 E8 lea eax,dword ptr ss:[ebp-18] 0040B07C BA 02000000 mov edx,2 0040B081 E8 12160C00 call ZnCycd.004CC698 0040B086 66:C745 90 5000 mov word ptr ss:[ebp-70],50 0040B08C 837D EC 00 cmp dword ptr ss:[ebp-14],0 0040B090 74 08 je short ZnCycd.0040B09A 0040B092 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; 注册表字符串S1'+S2' 0040B095 8B41 FC mov eax,dword ptr ds:[ecx-4] ; 字符串长度 …… 0040B0B7 B9 08000000 mov ecx,8 0040B0BC BA 01000000 mov edx,1 0040B0C1 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040B0C4 E8 8F190C00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置> ; 取S1' …… 0040B101 /74 08 je short ZnCycd.0040B10B 0040B103 |8B55 F8 mov edx,dword ptr ss:[ebp-8] ; S1' 0040B106 |8B4A FC mov ecx,dword ptr ds:[edx-4] ; S1'长度 0040B109 |EB 02 jmp short ZnCycd.0040B10D 0040B10B \33C9 xor ecx,ecx 0040B10D 898D 74FFFFFF mov dword ptr ss:[ebp-8C],ecx 0040B113 BF 01000000 mov edi,1 0040B118 3BBD 74FFFFFF cmp edi,dword ptr ss:[ebp-8C] 0040B11E 0F8F B2000000 jg ZnCycd.0040B1D6 0040B124 83FF 05 cmp edi,5 0040B127 7D 51 jge short ZnCycd.0040B17A 0040B129 89BD 70FFFFFF mov dword ptr ss:[ebp-90],edi ; 运算S1'前四个字符,每个字符+3 0040B12F 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-90] 0040B135 50 push eax 0040B136 8D55 F8 lea edx,dword ptr ss:[ebp-8] 0040B139 52 push edx 0040B13A E8 79120C00 call ZnCycd.004CC3B8 0040B13F 83C4 08 add esp,8 0040B142 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B145 E8 1E170C00 call ZnCycd.004CC868 0040B14A 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-90] 0040B150 E8 B4E0C700 call ZnCycd.01089209 0040B155 8D45 F8 lea 
eax,dword ptr ss:[ebp-8] 0040B158 4A dec edx 0040B159 8A0A mov cl,byte ptr ds:[edx] 0040B15B 80C1 03 add cl,3 ; cl+3 0040B15E 51 push ecx ; 保存运算值 0040B15F 53 push ebx 0040B160 50 push eax 0040B161 E8 52120C00 call ZnCycd.004CC3B8 0040B166 83C4 08 add esp,8 0040B169 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B16C E8 F7160C00 call ZnCycd.004CC868 0040B171 035D F8 add ebx,dword ptr ss:[ebp-8] 0040B174 4B dec ebx 0040B175 5A pop edx ; 取出运算值 0040B176 8813 mov byte ptr ds:[ebx],dl 0040B178 EB 4F jmp short ZnCycd.0040B1C9 0040B17A 89BD 6CFFFFFF mov dword ptr ss:[ebp-94],edi ; 运算S1'后四个字符,每个字符+2 0040B180 8B8D 6CFFFFFF mov ecx,dword ptr ss:[ebp-94] 0040B186 51 push ecx 0040B187 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B18A 50 push eax 0040B18B E8 28120C00 call ZnCycd.004CC3B8 0040B190 83C4 08 add esp,8 0040B193 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B196 E8 CD160C00 call ZnCycd.004CC868 0040B19B 8B95 6CFFFFFF mov edx,dword ptr ss:[ebp-94] 0040B1A1 E8 69E0C700 call ZnCycd.0108920F 0040B1A6 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B1A9 4A dec edx 0040B1AA 8A0A mov cl,byte ptr ds:[edx] 0040B1AC 80C1 02 add cl,2 ; cl+2 0040B1AF 51 push ecx 0040B1B0 53 push ebx 0040B1B1 50 push eax 0040B1B2 E8 01120C00 call ZnCycd.004CC3B8 0040B1B7 83C4 08 add esp,8 0040B1BA 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B1BD E8 A6160C00 call ZnCycd.004CC868 0040B1C2 035D F8 add ebx,dword ptr ss:[ebp-8] 0040B1C5 4B dec ebx 0040B1C6 5A pop edx 0040B1C7 8813 mov byte ptr ds:[ebx],dl 0040B1C9 47 inc edi 0040B1CA 3BBD 74FFFFFF cmp edi,dword ptr ss:[ebp-8C] 0040B1D0 ^ 0F8E 4EFFFFFF jle ZnCycd.0040B124 ; 字符串运算,字符串S1’经运算后得字符串S4 0040B1D6 C685 6BFFFFFF 6>mov byte ptr ss:[ebp-95],61 ; 输入61h,字符“a” 0040B1DD 66:C745 90 5000 mov word ptr ss:[ebp-70],50 0040B1E3 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; 字符串S4 0040B1E7 74 08 je short ZnCycd.0040B1F1 0040B1E9 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; S4 0040B1EC 8B41 FC mov eax,dword ptr ds:[ecx-4] ; S4长度 …… 0040B218 0FBE0A movsx ecx,byte ptr ds:[edx] ; S4首字符带符号输入ECX 
0040B21B 8B90 00040000 mov edx,dword ptr ds:[eax+400] 0040B221 83C1 FE add ecx,-2 ; ecx-2 0040B224 894A 0C mov dword ptr ds:[edx+C],ecx ; 保存ECX作为第三处验证字符,设为R3(4dh) 0040B227 BF 02000000 mov edi,2 0040B22C 3BBD 64FFFFFF cmp edi,dword ptr ss:[ebp-9C] 0040B232 7F 38 jg short ZnCycd.0040B26C 0040B234 8BDF mov ebx,edi ;对S4第2、4、6、8位字符运算循环 0040B236 53 push ebx 0040B237 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B23A 50 push eax 0040B23B E8 78110C00 call ZnCycd.004CC3B8 0040B240 83C4 08 add esp,8 0040B243 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B246 E8 1D160C00 call ZnCycd.004CC868 0040B24B 035D F8 add ebx,dword ptr ss:[ebp-8] 0040B24E 4B dec ebx 0040B24F 8A95 6BFFFFFF mov dl,byte ptr ss:[ebp-95] ; 保存的字符“a”,ASC值61h,作为参数 0040B255 2A13 sub dl,byte ptr ds:[ebx] ; 对S4第2、4、6、8位字符进行计算 0040B257 8BCF mov ecx,edi 0040B259 02D1 add dl,cl ; dl+字符在S4位置 0040B25B 8895 6BFFFFFF mov byte ptr ss:[ebp-95],dl ; 计算后最后保存值为1C,设为N 0040B261 83C7 02 add edi,2 0040B264 3BBD 64FFFFFF cmp edi,dword ptr ss:[ebp-9C] 0040B26A ^ 7E C8 jle short ZnCycd.0040B234 0040B26C 66:C745 90 7400 mov word ptr ss:[ebp-70],74 …… 0040B27E BA 09000000 mov edx,9 0040B283 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040B286 B9 09000000 mov ecx,9 0040B28B E8 C8170C00 call <ZnCycd.mid(str,x,y)ecx为长度,edx为位置>; 从注册表取出S2' …… 0040B2B1 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; S2' 0040B2B4 8B41 FC mov eax,dword ptr ds:[ecx-4] ; S2'长度 0040B2B7 EB 02 jmp short ZnCycd.0040B2BB 0040B2B9 33C0 xor eax,eax 0040B2BB 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax 0040B2C1 BF 01000000 mov edi,1 0040B2C6 3BBD 74FFFFFF cmp edi,dword ptr ss:[ebp-8C] 0040B2CC 0F8F B0000000 jg ZnCycd.0040B382 0040B2D2 89BD 60FFFFFF mov dword ptr ss:[ebp-A0],edi 下面对字符串S2’进行运算,还原成S2 …… 0040B373 8813 mov byte ptr ds:[ebx],dl 0040B375 47 inc edi 0040B376 3BBD 74FFFFFF cmp edi,dword ptr ss:[ebp-8C] 0040B37C ^ 0F8E 50FFFFFF jle ZnCycd.0040B2D2 ; 还原S2 0040B382 8D45 F8 lea eax,dword ptr ss:[ebp-8] ;到这还原成S2 0040B385 83CA FF or edx,FFFFFFFF 0040B388 E8 FF170C00 call 
<ZnCycd.strNumtoHexValue> ; 字符串S2转换成HexValue 0040B38D 66:C745 90 5000 mov word ptr ss:[ebp-70],50 0040B393 40 inc eax ; eax+1 0040B394 0F84 41050000 je ZnCycd.0040B8DB ; 比较HEX值是否为FFFFFFFF? …… 0040B3D7 BA 01000000 mov edx,1 ; EDX=1 index=1 0040B3DC 8B18 mov ebx,dword ptr ds:[eax] 0040B3DE FF53 0C call dword ptr ds:[ebx+C] ; index=1,取得机器码字符串“986947440” 0040B3E1 8D45 DC lea eax,dword ptr ss:[ebp-24] 0040B3E4 B9 08000000 mov ecx,8 0040B3E9 BA 01000000 mov edx,1 0040B3EE E8 65160C00 call <ZnCycd.mid(str,x,y)ecx为长度,ed>; 取机器码前8位字符 0040B3F3 8D45 D8 lea eax,dword ptr ss:[ebp-28] 0040B3F6 E8 41170C00 call <ZnCycd.NumstrToHexvalue> ; 机器码前8位字符转换成十六进制值 0040B3FB 8BD0 mov edx,eax 0040B3FD C1E0 03 shl eax,3 ; 机器码前8位×8 0040B400 2BC2 sub eax,edx ; 相当于机器码前8位×7 0040B402 B9 03000000 mov ecx,3 ;ecx=3 0040B407 99 cdq 0040B408 F7F9 idiv ecx ;机器码前8位×7\3 0040B40A 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax ; 保存运算结果值为DB9E978,设为M …… 0040B467 33D2 xor edx,edx ; EDX=0 index=0 0040B469 8B18 mov ebx,dword ptr ds:[eax] 0040B46B FF53 0C call dword ptr ds:[ebx+C] ; index=0,取得字符串“1000000” 0040B46E 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0040B471 E8 C6160C00 call <ZnCycd.NumstrToHexvalue> 0040B476 50 push eax 0040B477 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-A8] ; 取出M 0040B47D 5A pop edx ; 值1000000,hexvalue:f4240h 0040B47E 8BCA mov ecx,edx 0040B480 99 cdq 0040B481 F7F9 idiv ecx ; M mod 1000000(f4240h) 0040B483 8995 58FFFFFF mov dword ptr ss:[ebp-A8],edx ; 保存余数,为463F8h,设为R …… 0040B4CA BA 02000000 mov edx,2 ; index=2 0040B4CF 8B18 mov ebx,dword ptr ds:[eax] 0040B4D1 FF53 0C call dword ptr ds:[ebx+C] ; index=2,取得字符串“97” 0040B4D4 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0040B4D7 E8 60160C00 call <ZnCycd.NumstrToHexvalue> ; 字符串97变为十六进制61h 0040B4DC 0FBE95 6BFFFFFF movsx edx,byte ptr ss:[ebp-95] ; 取出N,edx值为1Ch 0040B4E3 83C2 F9 add edx,-7 ; 1C-7=15h 0040B4E6 B9 03000000 mov ecx,3 ; ecx=3 0040B4EB F7EA imul edx ; 61h×15h=7f5h 0040B4ED 99 cdq 0040B4EE F7F9 idiv ecx ; 7f5h\3=2a7h 0040B4F0 2985 58FFFFFF sub dword ptr 
ss:[ebp-A8],eax ; R(463F8h)-2A7h=46151h,设为R1(46151h) …… 0040B529 33D2 xor edx,edx ; index=0 0040B52B 8B03 mov eax,dword ptr ds:[ebx] 0040B52D 8B18 mov ebx,dword ptr ds:[eax] 0040B52F FF53 0C call dword ptr ds:[ebx+C] ; index为0,取得字符串“1000000” 0040B532 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040B535 E8 02160C00 call <ZnCycd.NumstrToHexvalue> 0040B53A D1F8 sar eax,1 ; 1000000/2=7A120h,设为L 0040B53C 79 03 jns short ZnCycd.0040B541 0040B53E 83D0 00 adc eax,0 0040B541 3B85 58FFFFFF cmp eax,dword ptr ss:[ebp-A8] ; eax=L(7a120h),与R1(46151h)比较 0040B547 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040B54A 0F9FC2 setg dl ; 设置标志 0040B54D 83E2 01 and edx,1 0040B550 52 push edx 0040B551 BA 02000000 mov edx,2 0040B556 FF4D 9C dec dword ptr ss:[ebp-64] 0040B559 E8 3A110C00 call ZnCycd.004CC698 0040B55E 59 pop ecx 0040B55F 84C9 test cl,cl ; L≤R1则跳 0040B561 74 51 je short ZnCycd.0040B5B4 0040B563 66:C745 90 BC00 mov word ptr ss:[ebp-70],0BC 0040B569 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84] 0040B56F 8D4D C8 lea ecx,dword ptr ss:[ebp-38] 0040B572 8B98 80030000 mov ebx,dword ptr ds:[eax+380] 0040B578 E8 AADCC700 call ZnCycd.01089227 0040B57D 81C3 18020000 add ebx,218 0040B583 FF45 9C inc dword ptr ss:[ebp-64] 0040B586 33D2 xor edx,edx ; index=0 0040B588 8B03 mov eax,dword ptr ds:[ebx] 0040B58A 8B18 mov ebx,dword ptr ds:[eax] 0040B58C FF53 0C call dword ptr ds:[ebx+C] 0040B58F 8D45 C8 lea eax,dword ptr ss:[ebp-38] 0040B592 E8 A5150C00 call <ZnCycd.NumstrToHexvalue> 0040B597 D1F8 sar eax,1 0040B599 79 03 jns short ZnCycd.0040B59E 0040B59B 83D0 00 adc eax,0 0040B59E 0185 58FFFFFF add dword ptr ss:[ebp-A8],eax ; 46151h+7a120h=c0271h,设为R2,R2=iif(L>R1,L+R1,R1) 0040B5A4 FF4D 9C dec dword ptr ss:[ebp-64] 0040B5A7 8D45 C8 lea eax,dword ptr ss:[ebp-38] 0040B5AA BA 02000000 mov edx,2 0040B5AF E8 E4100C00 call ZnCycd.004CC698 0040B5B4 66:C745 90 C800 mov word ptr ss:[ebp-70],0C8 0040B5BA 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-84] 0040B5C0 33C0 xor eax,eax 0040B5C2 BA 02000000 mov edx,2 ; index=2 
0040B5C7 8B99 80030000 mov ebx,dword ptr ds:[ecx+380] 0040B5CD 8945 C4 mov dword ptr ss:[ebp-3C],eax 0040B5D0 81C3 18020000 add ebx,218 0040B5D6 FF45 9C inc dword ptr ss:[ebp-64] 0040B5D9 8D4D C4 lea ecx,dword ptr ss:[ebp-3C] 0040B5DC 8B03 mov eax,dword ptr ds:[ebx] 0040B5DE 8B18 mov ebx,dword ptr ds:[eax] 0040B5E0 FF53 0C call dword ptr ds:[ebx+C] ; index=2,取得字符“97” 0040B5E3 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040B5E6 E8 51150C00 call <ZnCycd.NumstrToHexvalue> 0040B5EB 8BD8 mov ebx,eax ; ebx=61h 0040B5ED 0FAF9D 58FFFFFF imul ebx,dword ptr ss:[ebp-A8] ; 61h×R2(c0271h)=48cecd1h 0040B5F4 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040B5F7 E8 40150C00 call <ZnCycd.NumstrToHexvalue> ; S2字符串转换为HEX值 0040B5FC 3BD8 cmp ebx,eax ; 第二次验证,验证组合字符串S2 0040B5FE 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040B601 0F94C2 sete dl ; 设置标志 0040B604 83E2 01 and edx,1 0040B607 52 push edx 0040B608 BA 02000000 mov edx,2 0040B60D FF4D 9C dec dword ptr ss:[ebp-64] 0040B610 E8 83100C00 call ZnCycd.004CC698 0040B615 59 pop ecx 0040B616 84C9 test cl,cl 0040B618 0F84 B7020000 je ZnCycd.0040B8D5 ; 跳转over …… 0040DF4E 8B41 0C mov eax,dword ptr ds:[ecx+C] ; 取出R3,R3=4dh 0040DF51 B9 27000000 mov ecx,27 ; ecx=27h 0040DF56 99 cdq 0040DF57 F7F9 idiv ecx 0040DF59 83FA 02 cmp edx,2 ; EDX余数为2,第三处验证 0040DF5C 75 7E jnz short ZnCycd.0040DFDC ; 跳转over 目前只找出了三处验证,启动后程序显示为“标准版”。 |
地主 发表时间: 07-03-27 10:29